Website Privacy Policy: when should I get one?

Nearly all websites gather information about their users on some level, often with the aim to recognise and serve their visitors better. Privacy policies effectively help website operators to comply with their legal obligations to process data ‘fairly’, such that it is only collected for specified and legitimate purposes and is held no longer than necessary. Whilst displaying an online privacy policy is not strictly a legal requirement for website operators, having one in place goes a long way to ensuring compliance with important national and international privacy laws. Where website operators hold data in a number of countries, they will need to ensure that they comply with the privacy laws in each of those countries.

Why is it Important?

Online hacking and customer data leaks are a source of embarrassment for reputable online businesses; having a clear and prominent link to an up-to-date privacy policy on a website’s home page helps to promote confidence among its visitors in your website and use of their personal data.

What it is / what should be included?

The collection and processing of personal data by websites must comply with data protection laws. Among other principles, these laws include a requirement to obtain “informed” user consent to the handling of their data. Explaining how such data will be collected and shared is where the privacy policy comes into play and, if drafted well, will constitute informed consent by the user.
Detailed privacy policies are more than just a short notice reassuring visitors that their data is collected and held securely. They should also consider and cover the following points:

Who is collecting the information? This must be clearly stated at the outset.

What types of information are collected? Along with customer names, contact and payment details might also be automated technical information about their browser type, pages viewed and time spent on each page. Where sensitive personal data is collected (e.g. information relating to religious beliefs or ethnic origin), explicit user consent will be required.

How is their data used? Information must only be carried out for defined purposes (e.g. for delivery, billing or surveys). Where these change over time, fresh consent will be needed.

When will the information be shared with others? When and why user data may be disclosed to third parties (e.g. to advertisers or third party payment providers) must be set out.

How is the data stored? If user information is transferred to countries outside the EEA, they must consent to this. Stating this in the privacy policy acts as implied consent. Security measures taken to protect user data can also be highlighted here.

Will visitors be targeted with marketing? The law is very clear about when customers can and can’t be sent marketing communications. Generally they must have opted in and should be given an easy way to opt out.

What cookies are used and for what purposes? Cookies are small text files placed on a web user’s browser to track their habits and improve the website. Visitors’ consent must now be sought before using any non-essential cookies (which would include behavioural cookies tracking things like users’ browser habits). Typically this consent is sought via the privacy policy or a separate cookie policy.

User rights of access. Website visitors have a right to make what’s called a ‘subject access request’ to see what information is being held by the website operator and for what purpose.

It’s also worth noting that most businesses processing personal data need to pay an annual fee and register with the Information Commissioner’s Office.

Disclaimer: Tact is not a law firm or a substitute for law firm or a lawyer.
We cannot provide any kind of advice, recommendation or opinion about possible legal strategies, remedies, rights, defenses or options.
At your direction, Tact provides access to self-help services, legal templates and independent lawyers.
The legal templates you may obtain from Tact are provided solely as a starting point, not as final, ready-made agreements, and are provided AS-IS and with no guarantees or warranties whatsoever.
When working with Tact, you are protected by our Privacy Policy, but not by the attorney-client and work product privileges.
Further, use and access to our website is subject to our Terms and Conditions.
Tact is a trade name of Check-A-Contract Ltd.